Threat Intelligence Blog

No Safe Harbor in the Clouds

Will European Regulation Split the Cloud Market, with Social Media to Follow?

IT professionals are increasingly looking to cloud solutions for infrastructure, platform, network, and software services. Cost, expertise, and scalability are just some of the issues that come into play when considering the cloud. But, as always, security issues are also a concern. Depending on one’s perspective, however, there are varying opinions on the best ways to address them. Data security concerns are shared by all reputable and prudent businesses, and are often addressed by formal information protection solutions. But on other security issues, opinions and attitudes vary greatly between different regions of the world. A case in point is the strained relationship between American and European partners regarding privacy rights, which might lead to substantial regulatory shifts.

Disagreements between the US and the EU regarding privacy issues are almost a given at this point. Google and Facebook – among others – are prominent examples of companies currently under scrutiny in Europe for alleged violations of data protection laws – essentially for offering the same products and terms to Europeans as they do in the US. But current events associated with news around US government surveillance efforts have added a new dynamic to those questions. And while the German Foreign Minister gave notice of intent to scrutinize the status quo in general by ending defunct administrative agreements pertaining to information sharing, the consequences might be more pronounced in another, perhaps more important field: cloud computing.

Cloud computing over the Atlantic Ocean is tricky business already in terms of data protection and privacy laws. The authoritative legal framework, the Data Protection Directive (Directive 95/46/EC), prohibits the export of personal data of EU citizens into countries that don’t have a comparable level of privacy protection. Since the scattered landscape of American privacy laws is deemed less stringent than European codes, transfer of personal data to the US is generally prohibited.

The very concept of geographic location sounds odd when talking about cloud data on a technical level, as virtualization is the enabling technology behind cloud computing. Even the physical structure of redundant servers, distributed perhaps across multiple jurisdictions, seems to slip away from local regulation. Or does it? The enforcement of EU laws against foreign providers aside, the regulatory lever sits wherever data enters the cloud or is transferred from a local system to a cloud structure not entirely based in the EU.

Cloud providers can’t escape the scope of the regulation by claiming they have no physical location tying them to the EU. The phrase ‘protection regardless of data location’ focuses on the data subject in the first place, and not where the data resides as far as the scope of the regulation is concerned. On the other hand, they cannot claim not to transfer data to a third country either. If data can be processed in any way (e.g. collected, organized, stored, retrieved, used, blocked, destroyed etc.) from outside the EU, a data transfer must have happened. An employee adding an EU-based contact to her company-issued smartphone and later synchronizing said phone and work computer via a foreign cloud service might have illegally exported data already.

Amazon, just to name one example, tried to address this problem by deploying local infrastructure and allowing customers to set “availability zones”. Currently, the strict rule is softened by a Safe Harbor exemption, which allows data export to hundreds of American companies certified as compliant with European standards. However, this exemption is under increasing pressure. German State and Federal Data Protection authorities have stopped issuing new certificates, increased the requirements for data exports to existing providers, and issued a letter to Chancellor Merkel urging her to persuade the European authorities and partners to suspend the Safe Harbor agreement with the US altogether. Yet the implications may not be fully appreciated.
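The transfer rule described in the two paragraphs above (the data subject's residency decides whether the rule applies, any processing from outside the EU counts as a transfer, and Safe Harbor certification is the exemption) can be encoded as a gate that a sync or export job consults before it ships records. The following is an added example written for this post, not code from the original article or from any cloud provider; the region labels, the provider names on the Safe Harbor allowlist, the partial member-state list and the sample address-book records are all constructed placeholders.

```python
"""Data-transfer gate modelling the EU-to-US residency rule described above.

Added example; all region names, provider names and sample records are
constructed placeholders, not real certifications or customer data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Regions whose data centres are inside the EU/EEA (constructed labels).
EU_REGIONS = {"eu-west", "eu-central", "eu-north"}

# Partial, constructed list of EU member-state country codes.
EU_MEMBER_STATES = {"DE", "FR", "IT", "ES", "NL", "BE", "AT", "SE", "PL", "IE"}

# Providers assumed to hold a Safe Harbor certification (placeholder names).
SAFE_HARBOR_PROVIDERS = {"example-cloud-a", "example-sync-b"}


@dataclass
class Record:
    subject_country: str       # ISO country code of the data subject
    payload: Dict[str, str]    # the personal data itself (name, phone, ...)


@dataclass
class Transfer:
    provider: str              # who will process the data
    region: str                # where the receiving infrastructure sits
    records: List[Record]


def contains_eu_subject(records: List[Record]) -> bool:
    """The rule keys on the data subject, not on where the data is stored."""
    return any(r.subject_country in EU_MEMBER_STATES for r in records)


def evaluate_transfer(t: Transfer, safe_harbor_suspended: bool = False) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a proposed transfer.

    safe_harbor_suspended=True models the scenario the article discusses:
    the exemption is withdrawn, so only in-EU processing remains lawful.
    """
    if not contains_eu_subject(t.records):
        return "allow", "no EU data subjects involved"
    if t.region in EU_REGIONS:
        return "allow", "processing stays inside the EU"
    if t.provider in SAFE_HARBOR_PROVIDERS and not safe_harbor_suspended:
        return "allow", "recipient is Safe Harbor certified"
    return "deny", f"export of EU subject data to {t.region} via {t.provider} not permitted"


def phone_sync_scenarios() -> Dict[str, Tuple[str, str]]:
    """The article's smartphone example: an EU-based contact is added to a
    company phone, which then syncs through a foreign cloud service."""
    eu_contact = Record("DE", {"name": "constructed contact", "phone": "+49-000"})
    us_contact = Record("US", {"name": "constructed contact", "phone": "+1-000"})
    return {
        # Uncertified foreign sync service: the transfer is an unlawful export.
        "uncertified_us_sync": evaluate_transfer(
            Transfer("example-sync-z", "us-east", [eu_contact])),
        # Certified service: the Safe Harbor exemption covers the export.
        "certified_us_sync": evaluate_transfer(
            Transfer("example-sync-b", "us-east", [eu_contact])),
        # Same certified service after the exemption is suspended.
        "certified_us_sync_suspended": evaluate_transfer(
            Transfer("example-sync-b", "us-east", [eu_contact]), safe_harbor_suspended=True),
        # Keeping the data in an EU availability zone avoids the question entirely.
        "eu_zone_sync": evaluate_transfer(
            Transfer("example-sync-z", "eu-central", [eu_contact])),
        # No EU data subject, so the directive's export rule does not apply.
        "us_only_contact": evaluate_transfer(
            Transfer("example-sync-z", "us-east", [us_contact])),
    }


if __name__ == "__main__":
    for name, (decision, reason) in phone_sync_scenarios().items():
        print(f"{name:30s} {decision:5s} {reason}")
```

The gate is intentionally placed at the point the article identifies as the regulatory lever: the moment data leaves a local system for infrastructure outside the EU. A denial here is the signal to route the job to an EU region instead, and the returned reason strings are what an audit log of attempted exports would carry.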

The Cloud Security Alliance (CSA) polled their members to see if they would expect consequences for their business following the Snowden affair. While only a third of US companies in this non-representative poll said they expected any impact on American cloud providers’ non-domestic business, more than 50 percent of respondents from non-American organizations indicated that they would be less likely to use American cloud infrastructure in the future. Some sources estimate that American cloud providers may lose from $21.5 to $35 billion in cloud computing contracts with European customers over the next three years. This is in addition to populist calls to create not only a competitive European cloud infrastructure, but European social networking platforms as well.

Given the prevalence of American providers today, it is uncertain how the landscape will actually change. Some subject matter experts doubt the scale of possible shifts and point to superior products from existing American cloud providers; but that view assumes the decision-making process rests with the cloud customer alone. It would not be the first time that regulatory input reshaped the landscape of a certain market.

During the rather short life span of the Internet, we have already seen our fair share of unexpected turns. Maybe the next turn will be a more differentiated, more diverse Internet, where more languages and different platforms will mirror more closely a differentiated and diverse world. Privacy regulations might first impact clouds, but the concept of ‘availability zones’ might soon be broadened to include those for social media as well. Calls for domestic social networks based in Europe might lead nowhere – or may catch on as more users shift to localized services as the market matures.

We may also see US-based providers increasingly take other countries’ privacy regulations into consideration and adapt their services accordingly. This is already happening to some extent – to name just one example, last year Twitter blocked certain Tweets by a Neo-Nazi group only for Germany. A trend in this direction would have immediate implications for threat intelligence experts, too. A truly global security strategy requires all of these issues to be taken into consideration.